Mass 'War Drive' Exposes Insecure Networks
Worldwide sweep reveals vulnerability of many home, business, and government wireless networks, despite warnings.
Bob Brewin, Computerworld
Amateur wireless LAN "sniffers" detected hundreds and potentially thousands of insecure industry-standard wireless LANs in businesses and homes in North America and Europe during the past week in a loosely organized electronic scavenger hunt dubbed the Worldwide Wardrive.
Security analysts and wireless LAN industry executives said the results of the weeklong Worldwide Wardrive posted to the Security Tribe Web site indicate that many wireless LAN users still fail to use the most elementary form of security to protect their systems.
The Worldwide Wardrive, conducted between August 31 and September 7 by people who describe themselves as hobbyists, was an exercise in detecting wireless LANs using NetStumbler freeware, available on the Web. But malevolent hackers and industrial or foreign espionage agents could easily exploit the holes they found, analysts said. The logs posted on the Security Tribe Web site include precise GPS-derived latitude and longitude data of the wireless LAN access points (APs) detected during the Worldwide Wardrive--information that could also serve as an intelligence tool.
Homes Most Vulnerable
The term war driving is derived from the "war-dialing" exploits of the teenage hacker character in the 1980s movie War Games, who has his computer randomly dial hundreds of numbers and eventually winds up tapping into a nuclear command-and-control system.
The practice has grown in popularity, both among hackers trying to educate LAN managers about their vulnerability and among people trying to tap into bandwidth or data. Some war drivers have even taken to flight to find open wireless nets.
The war-driving participants sniffed such major technology and business centers as Silicon Valley and Orange and San Diego counties in California, as well as Chicago, Cleveland, Denver, and the province of Alberta, Canada. In Europe, the war drivers sniffed Barcelona, Spain, and Cologne, Germany.
Home installations accounted for the majority of APs detected in the Worldwide Wardrive exercise, which was easily determined based on the hundreds of systems broadcasting a Service Set Identifier (SSID)--an ID of up to 32 characters continuously transmitted by an 802.11b or Wi-Fi AP operating in the 2.4-GHz band--or a "linksys" SSID, which is used by Irvine, California-based Linksys Group as the default for its line of low-cost home wireless LAN systems.
Careless Corporations
But the hobbyists also detected hundreds of potentially vulnerable corporate and government networks, according to analysts. That assumption is based on the discovery of many APs with an SSID of "tsunami," which is used as a default by Cisco Systems for its wireless LAN products.
Chris Kozup, an analyst at Meta Group in Stamford, Connecticut, said the use of a tsunami default SSID indicates that the wireless network is probably a business or government AP, considering the high cost of Cisco equipment (just under $1000). In contrast, home equipment from Linksys sells for as little as $123.
Kozup, who examined the war-drive files and logs from last week, said the fact that hundreds of business and consumer users around the world continue to broadcast SSIDs indicates that neither CIOs nor home users have taken to heart highly publicized wireless LAN security warnings. Turning off an AP SSID is at the most basic level of wireless LAN security, Kozup said.
He added that the use of default SSIDs indicates another potential security breach: failure to turn on built-in Wired Equivalent Privacy encryption. "If the default SSID is not turned off, that's a fairly good indication that WEP is not turned on," Kozup said. Wireless LANs are shipped from the factory with WEP off.
Nick Jacobsen, a hobbyist wireless LAN sniffer, said in a post on the C4i.org mailing list that he detected 69 wireless LANs in a 4-hour war drive of Portland, Oregon, last week. While riding his bicycle, Jacobsen detected 80 APs, out of which 69 were broadcasting SSIDs and not using WEP. He detected only seven APs with WEP that weren't broadcasting an SSID and just four that had WEP enabled and SSID broadcast turned off.
Kurt Seifried, an Alberta sniffer, said in a post on the Attrition.org mailing list that he encountered a slew of unencrypted wireless LANs in his war drive of Edmonton. Between 75 percent and 80 percent of the wireless LANs Seifried detected were unencrypted, he said.
Room for Improvement
Brian Grimm, a spokesperson for the Wireless Ethernet Compatibility Alliance, a wireless LAN industry trade group, agreed with Kozup that security begins with SSIDs.
"Everyone should turn off their SSIDs," Grimm said. Enterprises, he said, should beef up their security with virtual private networks and filtering of Media Access Control (MAC) addresses. Each piece of hardware on a network has a unique MAC address, and filtering these addresses reduces the possibility of a hacker mapping and penetrating a network.
The large number of insecure LANs detected during Worldwide Wardrive week should serve as a wake-up call to corporate IT departments, Kozup said. "This is more fodder that the enterprise needs to be taking a more activist approach to wireless LAN security," he said.
Kozup added that he is somewhat heartened by the relatively small number of tsunami default SSIDs detected, as well as by the systems broadcasting no SSID, which indicates to him that "enterprises are doing a better job" than they have in the past.

For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.








